PCI Security Compliance Challenges and Best Practices

October 7, 2019 | Views: 1415


Today’s economy is a digital one, and a big part of that is thanks to the emergence of credit and debit cards. We may not yet be an entirely cashless society, but try to book a concert ticket in advance or order a product from the other side of the world, and it will soon become apparent how much we rely on these small pieces of plastic for our everyday purchases. Likewise, if you have a business with an online presence, or if you want to grow your business, you will almost certainly need to offer a cashless payment option.


Payment cards are a convenient and efficient way to make transactions, but they can also be a liability. If you use a payment application, or if you handle payment card information, you need to ensure that this information is protected. The reason for this is to protect your customers but also to cover your legal obligations to comply with policies such as the PCI DSS. Failure to comply could result in devastating consequences, and could even mean the end of your business.

I’ll be discussing the challenges involved in complying with PCI security standards and offering some best practices that can help you meet your obligations.

What Is PCI and What Does It Mean for Your Business?

PCI DSS stands for Payment Card Industry Data Security Standard, an industry standard developed in 2006 to protect credit card data during transactions. These guidelines are enforced by the PCI Security Standards Council (PCI SSC), which includes major credit card companies like Visa, MasterCard, American Express, Discover, and JCB.
Compliance with PCI standards is of the utmost importance for merchants. The consequences of using a non-PCI certified provider could amount to thousands of dollars in fines as well as class action lawsuits.

Nowadays, credit card fraud is the most common kind of security crime, costing billions of dollars to organizations each year. Compliance with PCI DSS is a must for every company that accepts credit card payments, no matter how small, to protect customer data and payment information.

How Do You Comply with PCI?

To become PCI-certified, a payment provider must follow a plan consisting of twelve requirements to cover six general goals.

PCI DSS Compliance 12 step plan 

Secure network and systems

1 – Install and maintain a firewall

2 – Don’t use vendor-supplied defaults for passwords and other security criteria

Cardholder data protection

3 – Protect the cardholder data in storage.

4 – Encrypt all transmissions of cardholder data.

Security and vulnerability protection

5 – Deploy and maintain anti-malware and antivirus protection

6 – Install and update secure applications and systems. 

Access control measures

7 – Control access to cardholder data on a need-to-know basis

8 – Authenticate access by assigning a single ID to each user with entry permission.

9 – Control physical access to sensitive information. 

Network monitoring and testing

10 – Monitor and track all user access to cardholder data and network resources

11 – Test security systems and processes regularly

Information security policy 

12 – Develop and maintain an information security policy for all staff with access to data. 

To validate PCI compliance, a company has two options: complete the self-assessment questionnaire (SAQ) or contract with a qualified security assessor (QSA). The SAQ is a list of questions that evaluates your compliance level; once completed, you submit it with your quarterly reports to the relevant organization. QSAs are trained professionals who evaluate PCI compliance through security assessments. Keep in mind that each credit card company has its own policy regarding compliance validation levels.

New Guidelines for Software Vendors

In January 2019, the PCI SSC released new guidelines for software providers that develop payment applications.
The new PCI software security framework will replace the current requirements of the PCI payment application data security standard (PCI PA-DSS).
These PCI software standards include security requirements and assessment procedures to protect transaction information and cardholder data, as well as guidelines to improve security across software development.

5 Challenges of PCI Compliance

For companies looking to comply with the PCI standard, adherence to each of the twelve steps can present some challenges. The Security Standards Council addresses the most common problems and risks in its information supplement [1]. Let’s delve into the five most common issues and how to solve them:

  1. Defining the scope of business—PCI requirements vary according to the company's transaction activity. The standard defines four levels, ranging from fewer than 20,000 transactions a year to more than six million card transactions a year. The first thing to do is determine which category your company belongs to. The difference ranges from validating compliance through an SAQ to a quarterly network scan along with an annual audit.
  2. Addressing the technical aspects—the technical complexity of the compliance process can be burdensome. Even if your organization has a dedicated team to manage PCI compliance, details can easily be overlooked. Getting external support can help speed up the compliance process by giving your team an extra hand.
  3. Non-compliant payment collection systems—these can be a problem for companies trying to comply with requirement 7 of the PCI DSS standard. Ideally, a payment solution keeps cardholder data encrypted in transit and hidden while in storage, and that is compromised when legacy systems are used to collect ad-hoc payments. The only solution is to use a collection system that is compliant from the start.
  4. Not testing the systems regularly—many organizations need to designate a team to comply with requirement 11. This requires organizational changes, including scheduled testing and reporting, so many companies find it challenging to implement.
  5. Lack of control over the traffic and usage of cardholder data—issues such as allowing third parties access to cardholder data without checking their compliance, or storing card data when it is not necessary.
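For challenge 5, one practical check is to search logs and exports for card numbers that were stored without anyone intending it. The following is an added example, not part of the original article: it finds 13 to 19 digit runs, confirms them with the Luhn checksum, and masks them. The log lines are constructed, and the card numbers in them are widely published test numbers.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the first six and last four digits; hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan(lines):
    """Return (line_no, masked_pan) for every Luhn-valid candidate found."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((no, mask(digits)))
    return findings

def redact(line: str) -> str:
    """Replace Luhn-valid PANs in a line with their masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, line)

# Constructed sample log lines; the card numbers are public test values.
SAMPLE_LOG = [
    "2019-10-07 12:00:01 INFO checkout order=1234567890123456 status=ok",
    "2019-10-07 12:00:02 DEBUG gateway request pan=4111111111111111 exp=12/22",
    "2019-10-07 12:00:03 DEBUG retry card 5555-5555-5555-4444 for customer 88",
    "2019-10-07 12:00:04 INFO refund issued ref=20191007120004",
]

if __name__ == "__main__":
    for no, pan in scan(SAMPLE_LOG):
        print(f"line {no}: stored PAN {pan}")
```

The order id and refund reference have card-like lengths but fail the Luhn check, so only the two debug lines are reported.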

5 Best Practices in PCI Compliance

The consequences of not maintaining compliance can mean hundreds of thousands of dollars in losses from an attack or credit card fraud. PCI compliance is your first line of defense in your payment system security. Fortunately, there are a few best practices you can use to minimize risk and protect your customers’ data:

  1. Check and control point of sale (POS) terminals—controlling your point of sale terminals means checking for card skimmers, which usually operate in self-checkout kiosks, updating the software regularly, and buying terminals only from known vendors.
  2. Change manufacturers' passwords—not only is this a requirement of PCI compliance, but it also makes sense, as manufacturers' passwords are meant to be used only for installation.
  3. Use compliance as an aid to security—the goal is to minimize threats, and compliance helps mitigate the risks associated with credit card transactions. You can achieve this by following the requirements and everyday common-sense practices, such as using credit card data only on a need-to-know basis.
  4. Secure your networks—control access to the data and encrypt the data in transit. Check that third-party access also complies with the requirements and, if in doubt, isolate third parties to avoid cases like the Saks Fifth Avenue/Lord & Taylor hack [2]. When working with a container configuration, check that inter-container traffic is encrypted and control how the different containers can talk to each other.
  5. Assess, remediate, and report—compliance is an ongoing process, and it requires remediation measures, such as an incident response policy [3]. Regularly check against the PCI DSS standards to confirm compliance; if you are not compliant, remediate the problem and report the case in a compliance statement.

Conclusion

Whether your company is a small business or a large organization processing millions of transactions a year, protecting your customers’ data is a must to avoid hefty fines and costly attacks.

I’ve discussed how compliance with PCI standards helps organizations stay ahead of attackers and protect their customers’ trust. Now you are equipped with tips and best practices to implement the compliance requirements smoothly.

References:
1. https://blog.pcisecuritystandards.org/update-to-maintaining-compliance-information-supplement
2. https://www.nytimes.com/2018/04/01/technology/saks-lord-taylor-credit-cards.html
3. https://www.exabeam.com/incident-response/incident-response-policy/
